List of Adversary Emulation Tools

Posted: 1 year ago by @pentestit | 26079 views | Updated: May 17, 2019 at 10:43 pm

Every once in a while, the security industry brings forth a new buzzword and introduces terminology that sounds über cool and generates lots of interest. One such term going around nowadays is automated "adversary emulation". Let's first understand what this really means. Adversary emulation/simulation offers a method to test a network's resilience against an advanced attacker, albeit in this case all tests are run by a system rather than by a human operator; a real adversary would not be running scripted simulations. Nevertheless, there is a huge market of tools, both commercial and open source, that run these simulations and help you verify whether your security controls are working as required. In fact, MITRE has also developed Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™), a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's life-cycle and the platforms they are known to target. Most tools seem to follow this framework. Without much ado, let's get on to the list of adversary emulation tools.

Open Source Adversary Emulation Tools:

CALDERA: CALDERA offers an intelligent, automated adversary emulation system that can reduce the resources needed by security teams for routine testing, freeing them to address other critical problems. It can be used to test endpoint security solutions and assess a network's security posture against the common post-compromise adversarial techniques contained in the ATT&CK model. CALDERA leverages the ATT&CK model to identify and replicate adversary behaviors as if a real intrusion were occurring. Download CALDERA from here.

Metta: Uber recently open sourced this adversarial simulation tool, which was born out of multiple internal projects. Metta uses Redis/Celery, python, and vagrant with VirtualBox to perform adversarial simulation, which allows you to test your host based security systems. This also may allow you to test other network based security detection and controls depending on how you set up your vagrants. Metta is compatible with Microsoft Windows, MacOS and Linux endpoints. Get Uber Metta here.

APT Simulator: APT Simulator is a Windows batch script that uses a set of tools and output files to make a system look as if it was compromised. It helps you simulate a real threat in a more realistic way. Obviously, this is a Windows-only solution; it can be downloaded here.

Red Team Automation: Again, open sourced recently by Endgame, Red Team Automation (RTA) is a set of 38 scripts and supporting executables that generate reliable artifacts which correspond to techniques in the ATT&CK™ framework. As of now, RTA provides coverage of 50 ATT&CK™ techniques, which is set to increase over time. I believe this tool offers very good Endpoint Detection and Response (EDR) coverage. RTA supports Microsoft Windows, is coded in Python, and can perform anti-forensics operations, spread via lateral movement and bypass UAC (User Account Control), among others. Download Endgame RTA here.

Invoke-Adversary: A really new entrant in the adversary emulation field, Microsoft's Invoke-Adversary is a PowerShell script that helps you evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. This in fact was inspired by APT Simulator! As of now, it tests for persistence, discovery, credential access, defense evasion, information collection, command & control, execution & AppLocker bypass. Get it here.

Atomic Red Team: Red Canary's Atomic Red Team is yet another adversary emulation framework that is open source and provides you with capabilities to test your detection. This was introduced last year and has surely been improving since. ART maps small and highly portable detection tests to the MITRE ATT&CK Framework. This framework is not automated, yet supports Microsoft Windows, MacOS & Linux flavours. Download ART here.

Infection Monkey: Guardicore Infection Monkey is yet another open source breach & attack simulation tool to evaluate the security posture of your network. It helps you test your network's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self-propagate across a data center and reports success to a centralized Monkey Island server. It is also coded in Python and works on Microsoft Windows & Linux systems. Get Infection Monkey here.

Blue Team Training Toolkit (BT3): Encripto Blue Team Training Toolkit (BT3) is software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level. The toolkit allows you to create realistic computer attack scenarios, while reducing infrastructure costs, implementation time and risk. It is written in Python and includes the latest versions of Encripto's Maligno, Pcapteller and Mocksum. It also includes multiple malware indicator profiles that ensure a "plug & play" experience when planning and preparing a training session, incident response drill or red team engagement. Download Blue Team Training Toolkit v2.6 here.

DumpsterFire: DumpsterFire is a modular, menu-driven & cross-platform tool in Python for building customized, time-delayed, distributed security events. It allows you to easily create custom event chains for Blue Team drills and sensor/alert mapping. Red Teams can also create decoy incidents, distractions, and lures to support and scale their operations. Download DumpsterFire v1.0.0 here.

AutoTTP: Short for Automated Tactics Techniques & Procedures, AutoTTP is based on the author's attack life cycle model. It uses a well established PowerShell and Python post-exploitation project, Empire. This is still a work in progress. Download AutoTTP here.

Updated 9/4/2018:

NSA Unfetter: Unfetter is a project designed to help network defenders, cyber security professionals, and decision makers identify and analyze defensive gaps in a scalable and repeatable way. By featuring the groups and techniques of the ATT&CK™ model combined with the analytics, data model, and sensors of the Cyber Analytics Repository (CAR), Unfetter offers an opportunity for the community to come together and move beyond indicators toward a behavioral-based methodology. Check it out here.

Updated 12/7/2018:

MATE: It stands for MITRE ATT&CK® Technique Emulation. It depends on another project already in this list, the Atomic Red Team. It iterates over modified Atomic Red Team YAML files and creates objects for each test. The objects allow for automating execution of MITRE ATT&CK® techniques to test defenses. Check it out here: mate.ps1

Updated 4/16/2019:

Purple Team ATT&CK™ Automation: This automation toolkit uses the trusted Metasploit Framework post modules to evaluate detection and response capabilities by mapping them as MITRE ATT&CK™ TTPs. As of today, there are over 100 TTPs that have been automated that cover multiple operating systems. Check this project here.

Honourable mention for the following open source tools, as they technically are not adversary emulation tools:

Invoke-ATTACKAPI: This is an open source PowerShell script to interact with the MITRE ATT&CK Framework via its own API in order to gather information about techniques, tactics, groups, software and references. Get this script here.

Updated 11/27/2018:

PoSh_ATTCK: Similar to Invoke-ATTACKAPI, PoSh_ATTCK is a set of Cmdlets to manipulate the ATT&CK data from the command line. This is done by fetching the data from the MITRE published JSON blob. Check it out here: PoSh_ATTCK.ps1.

Updated 12/7/2018:

ATT&CK Python Client: Somewhat similar to the scripts/tools above, this is a Python script to access up-to-date ATT&CK content available in STIX via a public TAXII server. Check this project out here.

Updated 12/11/2018:

Atomic-Parser: This open source Python project again depends on another project already in this list, the Atomic Red Team. It recursively loops through the Atomic .yaml files and prints out ATT&CK behavior and detection/prevention rules based on the command executors observed. Pretty cool, eh! Check it out here.

Updated 5/17/2019:

Atomic-Caldera: This is a Python 3 script to convert Red Canary Atomic Red Team Tests to MITRE Caldera 2.0 Stockpile YAML ability files. This helps you to run tests from Red Canary’s Atomic Red Team with the testing framework of MITRE’s Caldera. Check it out here.

Commercial Adversary Emulation Tools:

Cobalt Strike: Software for Adversary Simulations and Red Team Operations. Needs no introduction. Check it out here.

Immunity Adversary Simulation: This platform allows you to model an advanced persistent threat from inside your infrastructure and evaluate how your security team will react to a real-world offensive team that is active on your network and attempting to exfiltrate large amounts of data. Check it out here.

SafeBreach: This software platform simulates adversary breach methods across the entire kill chain, without impacting users or your infrastructure. Check it out here.

SimSpace: They seem to use Wormhole, a 0-day simulator for training on Windows and Linux. Check them out here.

Updated 4/15/2018:

AttackIQ FireDrill: Automated scenarios that run continuously, plus targeted scenarios launched on demand that mimic real-world malware and attack vectors. More information here.

Picus Security: A relatively new entrant in this market, Picus reveals security gaps in your network by simulating real-world attacks. It also performs security control assessments. Check them out here.

Updated 5/2/2018:

Attack Simulator: This is a part of Office 365 Threat Intelligence. If you are a member of your organization's security team, you can run realistic attack scenarios such as a display name spear-phishing attack, a password-spray attack or a brute-force password attack in your organization. This can help you identify vulnerable users before a real attack impacts your bottom line. Check it out here.

Updated 9/4/2018:

SCYTHE: SCYTHE was designed from the ground up as a modular platform, with every module and component built using an SDK, for creating and executing new C&C protocols and endpoint capabilities. The SDK can be leveraged to create new C2 and capability modules, allowing advanced users access to the full power of SCYTHE's customization and automation. This was the first commercial product that I managed to get a demo of and, by the looks of it, this platform really looks exciting, the only drawback being that lateral movement is not currently supported. Check them out here.

Updated 10/8/2018:

Tear Drop: The team behind Leviathan has come up with a new product, Tear Drop. It helps you prepare your network defense staff for the highly sophisticated targeted attacks your organization may face. To make Tear Drop as realistic as possible, Tear Security constantly updates their approach to mirror current adversary methods. Check them out here.

Updated 10/17/2018:

Threatcare: Threatcare is a standalone desktop application that allows you to leverage Breach and Attack Simulations and other techniques. It helps you continuously monitor your controls and provides actionable reports that guide you to quick remediation. With the addition of Threatcare agents, you gain the capability to schedule techniques and playbooks across multiple networks simultaneously. What's more, they have a FREE version too! Check them out here.

The above list does not include services such as MDSec's ActiveBreach, Nk33, FusionX, Red Siege, Spectre Ops & TrustedSec, as these are claimed to be carried out by real humans. Let me know if I missed any adversary emulation tools or commercial services.
